U.S. Postal Service API Flaw Exposes Data of 60 Million Customers

The United States Postal Service (USPS) has fixed an API flaw that potentially exposed data on 60 million customers. A researcher reported the flaw to USPS more than a year ago; but it wasn't until security blogger Brian Krebs contacted the organization this month that it took any action.

The same researcher contacted Krebs. Krebs verified the flaw and contacted USPS, who this time "promptly addressed the issue".

The problem was an API with inadequate authentication. All it required was for the user to be logged in to gain unauthenticated access to aspects to the USPS 'Informed Visibility' service -- a service intended to provide near real-time tracking data.

Logged-in users could query the system for account details, including email address, username, user ID, street address, phone number and mailing campaign data for other users. Such information could be used by criminals for scamming and targeted phishing purposes.

"The flaw that allowed this to happen," comments Rusty Carter, VP of product management at Arxan, "was a component of the USPS Web site, an application program interface (API), which was designed to help business customers 'make better business decisions by providing them with access to near real-time tracking data' about mail campaigns and packages. Instead, it may have shared critical, competitive information about businesses mail campaign best practices, with anyone who stumbled upon the flaw."

"According to a One Poll study," he wrote, "businesses on average manage 363 different APIs, and two-thirds (69 percent) of those organizations are exposing their APIs to the public and their partners"

"When building out APIs," adds Carter, "organizations and developers need to assume that all the data and functionality inside the app can be made directly available as a tool to any attacker."

Although current information suggests the USPS API flaw merely allowed access to customer data, it is indicative of widespread lack of focus on API security. In August 2018, T-Mobile revealed that attackers had gained access to personal information for about 2.3 million of its customers.

The fault was a similarly unprotected API. In that incident, attackers described by T-Mobile as 'an international group', gained access to company servers. "Underprotected APIs remains a significant problem for many of today's web and mobile applications," commented Ilia Kolochenko, CEO at High-Tech Bridge. "DevSecOps efforts are nascent if not non-existent in many large companies. Developers tend to ignore security best-practices, being already busy enough with endless streams of new features requested by the business to remain competitive on the market."

This absolutely resonates with USPS, which made a net loss of $2.7 billion for FY 2017. In a statement issued in November 2017, it said, "Equally important in order to return to financial stability is continued aggressive actions on our part to innovate and constantly improve operational efficiency. The Postal Service has reduced its cost base by approximately $13 billion over the past decade, and we continue to take actions to reduce costs and improve efficiency."

At the time of writing, USPS has made no public statement on its website. In a statement shared with Krebs it said it has no information that the flaw was ever leveraged criminally, and that "the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.